Layer of Protection Analysis

Risk Management: Identify, evaluate and control risk to a tolerable level.

Understanding: Identification and evaluation

Control: Understanding, safeguards and safeguard maintenance

Management: Written descriptions of how, when, where and why to accomplish risk management

Risk = Probability * Consequence

Risk

What can go wrong?
What is the probability that it can go wrong?
What is the impact should it go wrong?

Two categories ~
Risks that can be minimized or eliminated.
Risks that cannot - residual risks

Layer of Protection Analysis


As part of the Inherent Safety Structure of the Conceptual Process Design 
framework, we need a method to evaluate risk. Our purpose in this Design 
course is to focus our attention on the significant issues ~ to work on what is 
important at the current evolution of the process design. We need, therefore, 
a method to address the question ~ 


What is safe enough? 


C. S. Howat - ChED Layer of Protection Analysis - © 2004


Layer of Protection Analysis 


‘Safe’ implies tolerable risk 
Tolerance affected by: 
Familiarity 
Likelihood 
Control 
Media 
Consequence 
Suddenness 
Personal vs. Societal 
Benefit 
Dread 


[Figure: tolerance plotted against consequence; tolerance falls as the consequence grows, labelled "Aversion to consequences".]

Layer of Protection Analysis


Risk can be considered to be a matrix. This is qualitatively shown below. If we can calculate the probability and the consequence, we can judge whether the risk is:

T (Tolerable)
M (Moderate)
U (Unacceptable)

[Figure: risk matrix with Probability on the vertical axis and Consequence on the horizontal axis; each cell is marked T, M or U.]

Layer of Protection Analysis


LOPA: Simplified Risk Assessment
Builds on Hazard & Operability Studies
Evaluates a single cause-consequence pair

LOPA Focus

[Figure: event tree showing the LOPA focus. Layer labels that survived extraction: Process Design; Critical Alarms, Op…]

In the above Event Tree, we only consider independent protection layers. These have specific requirements. These are the 3D's, the 3E's and the Big I.

Layer of Protection Analysis


Independent Protection Layers

The 3D's ~ Detect, Decide, Deflect
The 3E's ~ Fast Enough, Strong Enough, Big Enough
The Big I ~ Independent

In order for a safeguard to be considered in the layer of protection analysis risk assessment, the three criteria above must be met. Can the layer of protection detect that there is an excursion, decide to do something about it and deflect the excursion? Is the layer of protection fast enough in detection, decision and deflection? Is it strong enough to withstand the excursion? And, is it big enough to handle the excursion and bring it to a benign state?

Examples: Relief Valve?
Alarm?

Layer of Protection Analysis


[Figure: resin reactor fed from a catalyst pre-mix pot, with a catalyst drum inlet spout, solvent addition, and a local motor on/off station with motor status light for the agitator. There is a redundant power supply to the agitator motor.]

Suppose in the process at left that improper catalyst addition leads to runaway initiating events.

Which of the instruments are Independent Protection Layers?

Layer of Protection Analysis


The general procedure is shown at left. Basically, we'll identify a cause/consequence pair, identify IPL's, evaluate the process as is, evaluate risk, modify the process and re-evaluate.

[Flowchart at left; legible steps: IDENTIFY CONSEQUENCE, IDENTIFY RELATED IPLS.]

Require:
1. Initiating Event Probability
2. Consequence Measure
3. IPL Probability
4. Risk Tolerance

Layer of Protection Analysis


Develop Scenario ~

- Initiating Event from HazOp (e.g. Failure to turn on mixer)
- Consequence (e.g. Vessel rupture with release)
- Enabling Events (e.g. Operation time when catalyst is made up)

Must include all steps and enabling events between initiation and consequence.

Identifying and Developing Candidate Scenarios, Beginning with HAZOP


LOPA Information and Data

[Flowchart: sorts HAZOP information into what is used in LOPA and what is not, and lists the data LOPA needs.
HAZOP information used in LOPA: scenario background and description; initiating event (one selected to represent the scenario); consequences (one at a time); safeguards that meet the definition of an independent protection layer (IPL); enabling events and conditions.
HAZOP information not used in LOPA: other causes that represent lower risk; consequences not meeting company criteria; safeguards below the definition of an IPL (these are still listed in the documentation for the LOPA scenario).
Data used in LOPA: initiating event frequency; consequence severity category; PFOD for each IPL (including IPLs not identified by the HAZOP team); probability for enabling events or conditions.
Decision: calculate the risk for the process and compare to the process risk criteria. Risk tolerable? If yes, continue to the next consequence/cause pair; if not, add mitigation to reach tolerable risk (recommendations). Unnecessary additional mitigation is rejected but still listed in the documentation for the LOPA scenario.
Legend: IPL = Independent protection layer; PFOD = Probability of failure on demand.]

This gives a general flowchart of the methodology that we can follow during the design evolution.

As with all of the other contributing methods, this should not be interpreted as a step-by-step procedure. It is a structure by which we can evaluate the risk associated with our process design.

Early in the design evolution, we do not want to do this level of detail. As the design nears the Base Case tier completion, this level of detail becomes necessary.

Layer of Protection Analysis


[Figure: sources of initiating events and the management systems that address them. Initiating events: external events; operator errors (human errors); process events (equipment failures); behaviors. Management layers: engineering standards; process safety management / risk management; procedures; behavior-based safety management; with process management systems, personnel management systems and company/plant management systems underneath.]

Work with the dominant event.

Layer of Protection Analysis


Initiating Event Frequencies (from AIChE 535)

Human error (routine, once-per-month opportunity)                              1/10 years
Human error (nonroutine/low stress)                                             1/10 years
Basic process control loop failure (continuous use)                             1/10 years
Basic process control loop failure (in this mode of operation <10% of year)     1/100 years*
(row label lost in extraction)                                                  1/100 years*

*Note: Fire frequency for an individual process system of 1/100 years is conservative.

Layer of Protection Analysis


Initiating Event Frequencies

[Table. Columns: Initiating Event; Frequency Range from Literature (/yr); Example of a Value Chosen by a Company for Use in LOPA (/yr). Rows: Pressure Vessel Rupture (10^-5 to 10^-7); Piping Leak (10% section), 100 m; Atmospheric Tank Failure; Gasket/Packing Blowout; Turbine/Diesel Engine Overspeed with Casing Breach; external impact (backhoe, vehicle, etc.; row label partly lost); Operator Failure (to execute a complete, routine procedure; well-trained operator, unstressed, not fatigued), per opportunity. The remaining numeric entries did not survive extraction.]

Layer of Protection Analysis


Enabling Events

Is there a unique period in the operation for the risk calculation?
Is the failure specific to one task in the process or is it continuous?

We must account for the time that the process is 'at risk'. The risk assessment only applies during these 'at risk' times.

Layer of Protection Analysis


Consequence

As part of LOPA, you need to define where the analysis stops, e.g. size and magnitude of release, or likelihood of impact.

Consequences of a flammable and/or toxic release

Layer of Protection Analysis


Consequence Size

This approach is easy for us to use. We don't need to model downstream exposure, only to know the amount, which we have from our normal process design work, and the level of toxicity.

[Table: consequence category by release characteristic and release size. Columns: 1- to 10-pound Release; 10- to 100-pound Release; 100- to 1,000-pound Release; 1,000- to 10,000-pound Release; 10,000- to 100,000-pound Release; >100,000-pound Release.
Extremely toxic, above B.P.: Category 3, 4, 5, 5, 5, 5.
Extremely toxic, below B.P., or Highly toxic, above B.P.: Category 2, 3, 4, 5, … (last cells not legible).
Highly toxic, below B.P., or Flammable, above B.P.: Category 2, 2, 3, 4, 5, … (last cell not legible).
Flammable, below B.P.: Category 1, 2, 2, 3, 4, 5.
Combustible liquid: Category 1, 1, … (remaining cells not legible).
Vessel rupture rows (pressure bands not legible): Category 4 and Category 5.
*B.P. = atmospheric boiling point]

Consequence Category

[Table: consequence category by equipment damage and outage. Columns: Spared or Nonessential Equipment; Plant Outage <1 Month; Plant Outage 1 to 3 Months; Plant Outage >3 Months.
Mechanical damage to large main product plant: Category 2, 3, 4, 4.
Mechanical damage to small by-product plant: cells not cleanly legible (Category 2 through Category 5 appear).]

Consequence Cost (U.S. dollars)

Overall cost of event:
$0 - $10,000                 Category 1
$10,000 - $100,000           Category 2
$100,000 - $1,000,000        Category 3
$1,000,000 - $10,000,000     Category 4
> $10,000,000                Category 5

Easy to use / Don't need to model / Not in harm
Layer of Protection Analysis

Table 4.2 Simplified Injury/Fatality Categorization (combined with other loss categories)

Category 1/2
  Personnel:   Minor or no injury, no lost time
  Community:   No injury, hazard, or annoyance to public
  Environment: Recordable event with no agency notification or permit violation
  Facility:    Minimal equipment damage at an estimated cost of less than $100,000 and with no loss of production

Category 3
  Personnel:   Single injury, not severe, possible lost time
  Community:   Odor or noise annoyance complaint from the public
  Environment: Release that results in agency notification or permit violation
  Facility:    Some equipment damage at an estimated cost greater than $100,000 and with minimal loss of production

Category 4
  Personnel:   One or more severe injuries
  Community:   One or more minor injuries
  Environment: Significant release with serious offsite impact
  Facility:    Major damage to process area(s) at an estimated cost greater than $1,000,000 or some loss of production

Category 5
  Personnel:   Fatality or permanently disabling injury
  Community:   One or more severe injuries
  Environment: Significant release with serious offsite impact and more likely than not to cause immediate or long-term health effects
  Facility:    Major or total destruction of process area(s) at an estimated cost greater than $10,000,000 or a significant loss of production

Layer of Protection Analysis


Example (Slide 11) ~

The reactor can contain up to 10,000 gallons of xylene and 500 gallons of acrylic acid. The reactor typically operates at 120°F but during a runaway excursion, the temperature can spike sufficiently high to boil xylene.

What is the consequence of interest?

What is the consequence severity category?

When addressing the question of severity of the consequence, you are to analyze based on the unmitigated consequence, i.e. as if the IPL's were not present.

Layer of Protection Analysis


Risk Tolerance
LOPA-Based Judgment Criteria
Risk Matrix
Tolerable Risk Decision

The example on the following page is from a multi-national petrochemical company. (Company name not published. Table from AIChE 535)

Risk Tolerance Matrix

Layer of Protection Analysis


[Table: Risk Tolerance Matrix. Rows: Frequency of Consequence (per year)*, seven order-of-magnitude bands in the slide's order, the more frequent bands first. Columns: Consequence Category 1 through 5. Four decisions appear in the cells: "No further action"; "Optional (evaluate alternatives)"; "Action at next opportunity (notify corporate management)"; "Immediate action (notify corporate management)".
Category 1 column, reading down: Optional, Optional, then No further action for the remaining five bands.
Category 2 column: Optional, Optional, Optional, then No further action for the remaining four bands.
Categories 3, 4 and 5: the first band reads Action at next opportunity / Immediate action / Immediate action, the second band reads Optional / Action at next opportunity / Immediate action, the cells then step down through Action at next opportunity and Optional, and the last band reads No further action for all three. The individual middle cells for Categories 3 to 5 did not survive extraction cleanly.
*For example, 10^-2 is equivalent to 1/100 years.]

Layer of Protection Analysis
With this matrix, we can evaluate the process in an unmitigated form, in a current instrumentation form and in a modified form.

Ex. Reactor Problem

Human Error   10^-1
PSV           10^-2

So frequency is 10^-1 x 10^-2 = 10^-3

Category 5 Release (Justify)

Immediate Action

Layer of Protection Analysis


Independent Protection Layers

PFOD: Probability of Failure on Demand
IPL: Independent Protection Layer
SIL: Safety Integrity Level

Independent Protection Layer                                                          Minimum PFOD

Basic Process Control Systems
  Automatic control loop (if independent of the initiating event)                    10^-1

Human Intervention
  Manual response in field with more than 10 minutes available for response
  (if sensor/alarm is independent of the initiating event and other IPLs, and
  operator training included required response)                                      10^-1
  Manual response in field with more than 40 minutes available for response
  (if sensor/alarm is an independent SIF and operator training included required
  response)                                                                           10^-2
  Manual response to abnormal readings collected regularly on a checklist, the
  limits are stated on the checklist, and the checklist is used in practice
  (operator training requires use of checklist; use of checklist audited
  > 2/year)                                                                           10^-1

Passive Devices
  Secondary containment such as a dike or underground drainage system
  (if good administrative control over drain valves exists)                          (not legible)

Relief Devices
  Spring-loaded relief valve or rupture disks in clean service*                      (not legible)

Safety Interlocks (per ISA S84.01 Standard)
  SIL (class) 3 interlock (provided independent of other interlocks)                 10^-3 - 10^-4
  SIL (class) 2 interlock (provided independent of other interlocks)                 10^-2 - 10^-3
  SIL (class) 1 interlock (provided independent of other interlocks)                 10^-1 - 10^-2

Only one credit for BPCS if through the same DCS.

*Claiming a relief valve or rupture disk in potentially plugging or dirty service is problematic, and a value of (not legible) or less should be used even with good controls to prevent negation of relief valve functioning.

Layer of Protection Analysis 


So, what do we do with the reactor? Which are IPL's?

Candidate safeguard                        IPL?      PFOD
Run light on agitator?                     Yes/no
Procedures (Operating Instructions)?       Yes/no
Checklist?                                 Yes/no
Training?                                  Yes/no
Temperature indicators on reactor?         Yes/no
High temperature alarm on reactor?         Yes/no
PSV on reactor                             Yes/no

IPL Credit =
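As an added illustration (not the lecture's own worksheet), the Python below puts the reactor arithmetic together: it screens candidate safeguards with the independence rule (only one BPCS credit when alarm and control loop share a DCS), multiplies the initiating-event frequency by the enabling-event probability and each credited IPL's PFOD, and looks the result up in a risk matrix. The initiating-event frequency and PFODs are the slides' tabulated values; the matrix cells, the DCS names and the `shared_dcs_example` safeguards are constructed stand-ins, not the company matrix or the course's answer to the Yes/no table above.

```python
# Added example (not from the lecture): LOPA scenario arithmetic for the reactor problem.
# Initiating-event frequency and IPL PFODs are the slides' tabulated values; the
# risk-matrix cells are CONSTRUCTED and only reuse the slides' four decision labels.
from dataclasses import dataclass
from math import floor, log10

@dataclass
class Safeguard:
    name: str
    pfod: float            # probability of failure on demand
    independent: bool      # passes the 3D / 3E / Big-I screen
    dcs: str = ""          # shared DCS name: only one BPCS credit per DCS

def credited_ipls(safeguards):
    """Keep only safeguards that qualify as IPLs, one BPCS credit per DCS."""
    used_dcs, ipls = set(), []
    for s in safeguards:
        if not s.independent or (s.dcs and s.dcs in used_dcs):
            continue
        if s.dcs:
            used_dcs.add(s.dcs)
        ipls.append(s)
    return ipls

def mitigated_frequency(initiating_freq, safeguards, enabling_prob=1.0):
    """f = f_initiating * P(enabling condition) * product of IPL PFODs."""
    f = initiating_freq * enabling_prob
    for ipl in credited_ipls(safeguards):
        f *= ipl.pfod
    return f

DECISION = ("No further action", "Optional (evaluate alternatives)",
            "Action at next opportunity (notify corporate management)",
            "Immediate action (notify corporate management)")
# Constructed matrix: frequency band (decade exponent, per year) -> decision
# index for consequence categories 1..5.  Not the company matrix on the slide.
MATRIX = {-1: (1, 1, 2, 3, 3), -2: (1, 1, 2, 3, 3), -3: (0, 1, 1, 2, 3),
          -4: (0, 0, 1, 2, 2), -5: (0, 0, 0, 1, 1), -6: (0, 0, 0, 0, 1),
          -7: (0, 0, 0, 0, 0)}

def risk_decision(frequency, category):
    band = max(-7, min(-1, floor(log10(frequency) + 1e-9)))
    return DECISION[MATRIX[band][category - 1]]

def reactor_scenario():
    """Slide values: human error 1/10 yr, PSV PFOD 1e-2, Category 5 release.
    Returns (mitigated frequency per year, decision)."""
    f = mitigated_frequency(0.1, [Safeguard("PSV on reactor", 1e-2, True)])
    return f, risk_decision(f, 5)

def shared_dcs_example():
    """Hypothetical: alarm and control loop on one DCS earn a single credit."""
    return credited_ipls([Safeguard("High-temperature alarm", 1e-1, True, "DCS-1"),
                          Safeguard("Temperature control loop", 1e-1, True, "DCS-1"),
                          Safeguard("PSV on reactor", 1e-2, True)])
```

Passing `enabling_prob` as the fraction of the year the process is in the at-risk mode is how the enabling-event slide's time-at-risk correction enters the product.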
Now what?

Layer of Protection Analysis


Safety Instrumented System (SIS)

A SIS has dedicated instrumentation to protect against the excursion. These are not part of the basic process control system (BPCS) and are therefore independent. These are expensive, with Class 3 designs rarely used in the CPI.

SIS Structures

[Figure: Class 3, Class 2 and Class 1 SIS designs, each drawn as Sensors -> Logic Solver -> Final Elements with an input from the BPCS and a test valve; the higher classes carry redundant sensors and logic solvers.]

Notes:
1. Redundant sensor values are available to each logic solver for diagnostic purposes.
2. A BPCS control valve may replace the dedicated SIS valve if failure of the BPCS control valve or failure of the BPCS is not one of the credible initiating events.
3. The design architecture shown above provides the availability listed below at the test frequency shown for its class.

Interlock Class    Availability Range    Test Frequency Required
3                  0.999-0.9999          (not legible)
2                  0.99-0.999            12 Months
1                  0.90-0.99             4 Years

4. Test valves may be automated block valves controlled from the SIS or manual block valves equipped with limit switches. Limit switches must be inputs to the SIS to ensure that manual block valves are not inadvertently left in the incorrect position.

Layer of Protection Analysis


In Summary

Decide on Scenario
  Describe Initiating Event
  Describe Consequence
  Determine Enabling Events
Determine Initiating Event Probability
Determine Unmitigated Event Consequence
Determine Risk Using Risk Matrix
Evaluate IPL's
Determine Risk
Modify Until Acceptable